Commit graph

231 commits

Author SHA1 Message Date
Derick Alangi 82d876ada8 Handlers: Drop AutoPromoteGroupsHandler::factory()
This patch solves a pending TODO which is to remove the ::factory()
method from the AutoPromoteGroupsHandler class. If the cache instance
is injected, we'll use it otherwise we'll default to a HashBagOStuff.

Bug: T358346
Change-Id: I2bc414da8733431d1d11025e954282fc7c73aa80
2024-03-06 21:38:12 +00:00
MusikAnimal 2c9801766d Remove $wgAbuseFilterBlockedExternalDomainsNotification and related code
This feature never worked very well, and the original wish
https://w.wiki/7ZsE didn't ask for a 2010 editor solution, anyway.
Rather than have AbuseFilterBlockedExternalDomainsNotification linger in
an unstable state, we remove the code entirely.

Bug: T347435
Follow-Up: I7eae55f12da9ee58be5786bfc153e549b09598e7
Change-Id: I88e87c4e0a2968b892394461b1227f4d15938e8e
2024-02-20 23:01:02 +00:00
James D. Forrester 947e437566 extension.json: Drop RL targets definitions, no longer honoured
Bug: T328497
Change-Id: Ifed1146525a3b4370844144c7dafa2af0a98bd16
2024-01-12 08:38:57 -05:00
Umherirrender bd84a6514c Use namespaced classes
This requires 1.42 for some new names

Changes to the use statements done automatically via script
Addition of missing use statements and changes to docs done manually

Change-Id: Ic1e2c9a0c891382744e4792bba1effece48e53f3
2023-12-10 23:03:12 +01:00
MusikAnimal 7db0e05aeb Show notification when editor links to a blocked domain
This leverages the new BlockedExternalDomains system that is now part of
AbuseFilter. It notifies editors in realtime if a link they add is
blocked. See https://w.wiki/7ZsF for more information.

BlockedExternalDomains is slated to have its own API tantamount to the
action=spamblacklist endpoint, after which case this code will need to be
updated. In the meantime, it's meant to serve as a minimal viable product
for the CWS 2023 wish <https://w.wiki/7ZsE> for wikitext users.

The new $wgAbuseFilterBlockedExternalDomainsNotification configuration
setting controls the availability of this feature.

A similar feature for VisaulEditor is tracked at T276857

Bug: T347435
Change-Id: I7eae55f12da9ee58be5786bfc153e549b09598e7
2023-10-31 15:32:02 +00:00
Daimona Eaytoy 85f8f90531 Clean up AbuseFilterConsequencesTest a bit
Most notably, make it not use additional DB tables to test global
filters. Instead, just pretend that the local database is not local (via
config) and "hide" local filters with a simple test-only flag in
FilterLookup.

Change-Id: Ib431dbf6c9d84978ee84e7f0671cfcbf8a54d7a2
2023-08-19 15:31:41 +00:00
Umherirrender 8e6d820154 Use HookHandlers for UserMerge hook
Bug: T254306
Depends-On: Ib78dae49854863af1a37a00636737c94694776ae
Change-Id: If2bc517fb612199f4d744efbfa261ee5c556b6a5
2023-08-16 09:44:30 +02:00
Umherirrender a328477b8d Use HookHandlers for Echo hook
Bug: T254306
Depends-On: Iffa2b409502b4269c9746e0304feb4aaee37a86e
Change-Id: I0e27c535367b37b7038a54955e43ff96d9c81d32
2023-08-16 00:18:02 +02:00
Amir Sarabadani 049e602b07 BlockedDomains: Move filtering logic to a dedicated class
I'm planning to add support for bypass and regex-based blocking which
means it'll grow a bit. So let's give it a dedicated class.

Bug: T337431
Change-Id: I5a6fe2fd2f1efdebd8cada0ba6c481341f830e27
2023-08-06 16:27:23 +02:00
AnaïsGueyte 2efd6d9ac9 Replace userNameUtils with UserIdentityUtils
Where UserIdentity is available and where it's necessary to check ::isNamed

Bug: T342741
Change-Id: I5b52686f1c072282e76874f3863962345ca8097e
2023-07-27 10:29:31 -03:00
Amir Sarabadani ec51620957 Restrict view of "abusefilterblockeddomainhit" logs to "*"
That is noop but at the same time prevents logs of hitting blocked domains
list from showing up in watchlists.

Change-Id: I56225f80bb7d87841fd991f5cde49e67bdb5823a
2023-06-27 20:16:00 +02:00
Timo Tijhof 110484b6a0 BlockedExternalDomains: De-duplicate validateDomain logic
Bug: T337431
Change-Id: Icbedf750f6ecaa9caf7bb900e8ad0bc2124e8743
2023-06-19 13:36:32 +00:00
Timo Tijhof 203d54be11 BlockedExternalDomains: Optimize host extraction by using parse_url
Unlike what the 20-year old source comments in UrlUtils.php would
have you believe, parse_url() works fine nowadays, including for
protocol-relative URLs and indeed lots of prod code uses it directly.

The class still has some convenience value for case where you need to
expand or manipulate URLs, but for the common case of extracting a part
of it, you really don't need it.

Test plan:
$ php phpunit.php ../../extensions/AbuseFilter/tests/phpunit/integration/FilteredActionsHandlerTest.php

Bug: T337431
Change-Id: I1e76d2f5aef65365743214530faba656325b965a
2023-06-19 13:36:27 +00:00
Amir Sarabadani da53cfe9dd BlockedDomains: Add logging in case of hit
This is basically copy paste of SpamBlacklist logging with the added
extra bit of what triggered the hit.

Bug: T337431
Change-Id: Ieb9e3ca615af88ab56735b56e24c80c42a68d478
2023-06-14 22:23:50 +02:00
Amir Sarabadani 0acfe05251 Add abusefilter-bypass-blocked-external-domains right
This is similar to sboverride right in SpamBlacklist. Defaults are also
the same

Bug: T337431
Change-Id: Iaff91c1f9f7aece0787348dd071701ef99e0291d
2023-06-08 22:06:19 +02:00
Siddharth VP 8a22007034 BlockedExternalDomains: validate JSON structure before save
This makes raw page editing safer, and potentially enables opening up
access to less restricted user groups.

Bug: T337431
Change-Id: I14f21003a551f34b6e524e9b229613e79b0e5a70
2023-06-06 23:31:28 +02:00
jenkins-bot 3feb7d5af0 Merge "BlockedDomains: Put a cache behind parsing of notes of blocked domains" 2023-06-04 15:33:00 +00:00
Amir Sarabadani be928818a4 BlockedDomains: Put a cache behind parsing of notes of blocked domains
It'll be 6K rows in enwiki, parsing 6000 wikitext notes is going to be
expensive.

Bug: T337431
Change-Id: I010d773a7b096c783f5da0d6997d946b3bfd6b6e
2023-06-02 20:13:33 +02:00
James D. Forrester fb50c1f019 BlockedExternalDomains: Make this a special right, prohibit direct editing
Bug: T337431
Bug: T279275
Change-Id: I96d1e2c8d8728c26e38515032ef773770e26dda4
2023-06-01 09:20:44 -04:00
Amir Sarabadani 53eb27f086 Introduce Special:BlockedExternalDomains
It is behind a feature flag. Improvements on it can happen in follow
ups. The patch is already quite massive.

Bug: T337431
Bug: T279275
Change-Id: I3df949c4d41ce65bb4afa013da9c691ac05fc760
2023-05-30 20:48:42 +02:00
AnaïsGueyte d42b7335d5 Update user type checks to handle temporary users
* Set the same block expiry for temp and anon users
* Don't block autopromote for temp users; they can't be autopromoted
* Bail early from CheckUserHandler if the user is temporary

Bug: T335062
Change-Id: I6b72537f568c4c70a0b86f1825ea30b767f5634a
2023-05-25 17:26:58 -02:30
gerritbot 3f7e5c9271 Update moved class WikiMap
See T321882. Moved in I60cf4b9ef02b9d5

Bug: T321681
Change-Id: I2c9a5dbde0080984dad1a23eba52504c4b7df4d1
2023-04-25 09:52:41 +00:00
jenkins-bot 98bcf77ed0 Merge "Use renamed CheckUserInsert*Hook interfaces" 2023-04-24 00:08:12 +00:00
Dreamy Jazz ee1996c244 Add missing CheckUser hooks to extension.json which have handlers
Add the CheckUser hooks CheckUserInsertPrivateEventRow and
CheckUserInsertLogEventRow to extension.json which were both added
to the CheckUser CheckUserHandler, but mistakenly not added to
extension.json in 8e4a1237f1.

Bug: T324907
Follow-Up: Id78417e9d95220946f110afbe1430df5b3bb4f4f
Change-Id: I7a53f1933a0dafa66973a773a551c497b2eb5b05
2023-04-22 19:22:08 +01:00
Umherirrender 6fabca14c8 Use renamed CheckUserInsert*Hook interfaces
Follow-Up: I8d632f2808fde57c977c0ed22531db7b3741beef
Change-Id: I88bee654f80d9c40996ebef75136f310520a496f
2023-04-22 20:06:24 +02:00
jenkins-bot d3b5dbb092 Merge "Add tests for extension.json and services" 2023-04-20 00:48:30 +00:00
Matěj Suchánek dcd07fddc2 Drop obsolete reference from config description
The other migration was done meanwhile.

Change-Id: I7f3867dfa746ace26836677a7cbc2b4d9cf1d314
Follows-Up: Ic755526d5f989c4a66b1d37527cda235f61cb437
2023-03-29 09:45:12 +02:00
Matěj Suchánek 0628dbdab6 Add tests for extension.json and services
Change-Id: Ie83e4a85a408e1ba1d2cc827c4bf353bdd5500df
2023-03-28 09:35:02 +02:00
jenkins-bot 290dd70bb2 Merge "Replace deprecated database object access methods" 2023-03-27 09:11:46 +00:00
jenkins-bot 9fcf5d92d1 Merge "Use actor table in AbuseFilter" 2023-03-26 00:25:50 +00:00
Matěj Suchánek bb78cb0a56 Use actor table in AbuseFilter
This patch migrates abuse_filter and abuse_filter_history tables
to new actor schema.

MigrateActorsAF was copy-pasted from core's
maintenance/includes/MigrateActors.php before removal (ba3155214).

Bug: T188180
Change-Id: Ic755526d5f989c4a66b1d37527cda235f61cb437
2023-03-22 14:01:29 +01:00
Daimona Eaytoy 31210e66f5 Re-add BC alias for the VariableHolder class
Looks like it's needed for the UpdateVarDumps script, so add a note
about that. Also add a type check to the script so that it produces a
clearer error message if it finds an entity with unexpected type.

Bug: T331861
Change-Id: I68f8f954ed754c4282e13599ce06118e2336ecbb
2023-03-13 13:46:09 +01:00
Matěj Suchánek 8f6a428f02 Replace deprecated database object access methods
Use the very new getPrimaryDatabase and getReplicaDatabase.
We skip FilterLookup and CentralDBManager in this patch.

Change-Id: I22c6f8fa60be90599ee177a4ac4a97e1547f79be
2023-03-08 16:50:56 +01:00
Taavi Väänänen 7789ce1090
UserRenameHandler: Use core RenameUser classes
Bug: T27482
Change-Id: Ia36cd6d0ae8562101f8bcb0ddbf647097b6a8429
2023-03-08 12:53:43 +02:00
dreamyjazz 627a73ec5e Ensure IP, XFF and UA are valid for abuse filter user actions in CheckUser
Change the IP to 127.0.0.1 (to indicate an internal IP), and blank
the XFF and UA when the performer of an action being logged by
CheckUser is the abuse filter user. Actions performed by the abuse
filter user can only be initated by the software, and as such should
not use the request's IP, XFF and UA. Also test the newly added
code.

Bug: T44345
Depends-On: I28acaaebd2d0067b700da0930e7b7ba924fa5c1c
Change-Id: Idd77545af94f9f9930d9ff38ab6423a72e680df9
2022-11-11 23:19:22 +00:00
Tim Starling cdf2f474e8 FilterProfiler: use WRStats
A new core facility written for this use case.

Bug: T310662
Depends-On: I26b1cdba0a06ad16ad8bb71b455e1b6180924d17
Change-Id: I2b902d034a8c3308c0ba9878b69e873ca8fbda52
2022-07-06 09:35:08 +10:00
Umherirrender 9abc464e3d Use UserIdentity/Authority in SpecialAbuseLog
Change-Id: I5b3b2b758e17c94298e7217d755dd8c7b08cb1ac
2022-06-28 19:30:37 +02:00
Tim Starling 855347b4a4 Configure FilterProfiler cache separately
Since it seems to be the bulk of the traffic to the mainstash in
production.

Bug: T212129
Change-Id: Id20223ac03ada16b3ad4bd47744dea5e415cf160
2022-06-14 15:30:02 +10:00
Daimona Eaytoy 59eb3b70fb Inject dependencies into the authentication provider
- Define it with the extension.json key, instead of using the
  registration callback
- Inject the services it needs
- Replace direct User instantiation with UserFactory
- Move log subtypes to extension.json as well

Change-Id: I86a761c7fa844b1f417b974798373622a15f6411
2022-04-09 18:44:25 +02:00
jenkins-bot b07a7c80fe Merge "Update description of AbuseFilterEmergencyDisableThreshold" 2022-02-26 14:26:15 +00:00
jenkins-bot 6b9098eae1 Merge "Replace use of deprecated OutputPage::enableClientCache( false )" 2022-02-10 07:01:54 +00:00
Reedy 62380ccb9a Drop non namespaced back compat aliases
Change-Id: I013959b13e233b6ee577d2b959c2f222687b0c7b
2022-02-06 14:16:10 +00:00
C. Scott Ananian aecfc7e62e Replace use of deprecated OutputPage::enableClientCache( false )
Replaced with the more readable ::disableClientCache() method, added
in 1.38.  Minimum MW version bumped to match.

Depends-On: I7c89e20528a0d91173f0edcb997dcae631935ee5
Change-Id: I91d0b8e8f69a2d309b6fc61e13bfb5d86dc0218d
2022-02-04 14:29:43 -05:00
Matěj Suchánek 9ed8fa7f3c Update description of AbuseFilterEmergencyDisableThreshold
The emergency disable feature does not depend on profiling
data anymore since b8ac52c.

Change-Id: Ibf3282f13c23e6b3d95cfd156132253d56afb28a
2022-01-24 13:36:24 +01:00
Daimona Eaytoy dae374aec2 Remove afl_filter entirely
As per T220791, the old schema and the flag can be removed in 1.38.

Bug: T220791
Change-Id: Ic6b1c8a22d17a301faf32d2e23778d90c41c39de
2021-09-18 11:06:10 +00:00
Daimona Eaytoy a722dfe1a4 Rename ParserFactory -> RuleCheckerFactory
The old parser now has the correct name "Evaluator", so the
ParserFactory name was outdated. Additionally, the plan is to create a
new RuleChecker class, acting as a facade for the different
parsing-related stages (lexer, parser, evaluator, etc.), which is what
most if not all callers should use. The RuleCheckerFactory still returns
a FilterEvaluator for now.
Also, "Parser" is a specific term defining *how* things happen
internally, whereas "RuleChecker" describes *what* callers should expect
from the new class.

Change-Id: I25b47a162d933c1e385175aae715ca38872b1442
2021-09-08 21:59:34 +02:00
Daimona Eaytoy e9795468c4 Switch filterable actions hooks to the new system
Bug: T261067
Bug: T211680
Change-Id: I0e7e4a48b56c3e5fde56f50693fd0cdc19c30dd0
2021-08-16 14:18:56 +00:00
jenkins-bot 97f805b67c Merge "Bump MW requirement to 1.37" 2021-06-26 14:19:01 +00:00
Daimona Eaytoy e56dcc7cb1 Bump MW requirement to 1.37
The master version of the extension is only meant to support the most
recent version of MediaWiki.

Change-Id: I33612e69fc37bf5eb70133c8f0e95199dd7fcb65
2021-06-26 14:18:43 +02:00
Tim Starling 2c939e28a9 Move onUserMergeAccountFields to its own file
Sharing a handler class with UserRenameHandler means that attempting to
merge users fails due to a missing interface if AbuseFilter and MergeUser
are installed but Renameuser is not installed.

Change-Id: I1244ab1c446840ff2648248f943d7fc784b889a7
2021-05-06 11:33:24 +10:00